A call for greater limits on governmental surveillance of the population

It feels like I cannot turn around without reading more news concerning surveillance of citizens by their own (or other) governments in various forms. This is especially so where computers are concerned, e.g. requests that the use of the infamous German “Bundestrojaner”* be expanded.

*A tool ordered and used by the German government to infiltrate computers in the same way that some illegal malware does.

This is extremely unfortunate for a number of reasons, including (but likely not limited to):

The contents of a computer can be extremely intimate and personal in many ways, some obvious, some not. If someone has access to the contents of a computer, this can* give insights into the owner in a manner that is usually not achievable e.g. through getting an ordinary search warrant and going through a house, top to bottom. Even a diary is typically less revealing, because a diary will be incomplete through factors such as limited self-knowledge, self-censorship (due to the fear that others do read the contents), and lack of time or space. A computer can contain personal notes, private correspondence, fan-fiction never intended for publication, … among the more obvious items; surfing habits, movie preferences, porn interests, sleeping patterns, … among the less obvious. This is with only passively reading the contents on or communications with the computer—install a surveillance tool and there is no limit to what can be found. A computer can simply give so much private information about someone that an intrusion can only very rarely, if at all, be ethically justified—we are on a completely different level from e.g. a (physical) search warrant, more comparable** to actually being in the head of the computer’s owner.

*There is a great variation from person to person, but by now a majority would likely already be included in this “can”—and the proportion is rapidly increasing.

**In some cases, myself included, there might actually be more to be deduced from the computer’s hard-drive than from the owner’s memory.

Digital evidence is so easy to falsify that its actual value is far smaller than for physical evidence. Yes, physical evidence can be planted. Yes, photos and film clips can be manipulated or even, by now, generated through CGI. No, they are not comparable to e.g. claims about what was found on a computer. As soon as another party has the ability to write to the disk, all bets are off. If a knowledgeable entity like the NSA decided to frame someone, it would be a walk in the park, if they had digital access*—and so long as digital evidence is allowed in a court system that has yet to catch on to the uselessness of such evidence.

*Note that this need not be a case of physical access. Tools like the aforementioned “Bundestrojaner” could equally well be used to plant evidence remotely.

Many of the measures used by governments risk the security of computers from other parties*. Consider e.g. the ever-popular idea of limiting the key length of encryption methods or forcing software makers to install backdoors in the software for use strictly by the government and strictly after a court order: The shorter key length still makes it far easier for other hostiles to attack the computer; at least some of the backdoors will be discovered or published sooner or later (probably sooner…), and even those that go unpublished can still introduce weaknesses. Or consider recent claims of the U.S. government keeping back information about discovered security holes (so that they can use them), which prevents the software makers from fixing the problems, which opens the door for independent discovery and abuse by e.g. computer criminals…

*An interesting physical example of the same principle is the “TSA lock” often seen on luggage today: It is there so that the TSA (and only the TSA) can unlock a piece of luggage without damaging it—ostensibly, all in the interest of the travelers. In reality, most (all?) key patterns have been leaked to the Internet, are available as input files for 3D printers, and any Tom, Dick, or Harry with a 3D printer can get a set of physical keys and unlock any “TSA lock”…

Other problems can occur that are out of proportion in comparison to what used to be the case. For instance, if someone was suspected of preparing a bank robbery or a terrorist attack, hoarding child pornography, trying to subvert the government, …, in the past, there might be a thorough house search and possibly some temporary confiscations, but by-and-large the house was still usable, most of the contents would still be present, and (barring an actual find) life would go on as before, except for an emotional scar. Today, the computer(s) would simply be confiscated, likely including any backups, and the victim/suspect would be severely hindered, possibly to the point that he cannot complete important business communications on time, cannot access important personal data, …

For a “democratic”* system to work, one of the main purposes of the constitution and laws has to be to protect the citizens from the government. The system must work even when the government is evil. If the current government happens to be good, the laws still have to protect the citizens, because there is a considerable risk that the government will be evil at some later time. To boot, the very concepts of “good” and “evil” can be very subjective, with the most evil regimes (by the standards of many others) often being convinced that they are the good guys, actually defending** the world against evil… To boot, even a more or less “good” government can contain bad apples, e.g. a DA looking for re-election and willing to fake evidence for a conviction with great PR value or a policeman who “knows” who the perp is and plants the evidence that “should” have been there. To boot, the machineries of bureaucracy, the incompetence of civil servants, and similar problems, tend to make even the most well-intended system fall well short of “good”.

*I am always at a loss to translate concepts like “Rechtsstaat”, but (strictly speaking incorrectly) variations of “democratic” are often used, as are “civic rights”. U.S. citizens often refer to the opposite with variations of “unconstitutional”.

**One of the reasons that I tend to judge people, parties, countries, …, based on their actions rather than their opinions: Fascist is as fascist does.

The current trends make a mockery of the principles behind a sound constitution. How can the citizens defend themselves when the government uses any and all means to circumvent security—including absurdities like requiring suspects to hand out passwords to investigators?

Correspondingly, I call for a complete reversal of course, where “digital trespassing” is considered a very severe crime, government surveillance of its citizens is reduced to the absolute minimum, tools like the “Bundestrojaner” are categorically and unequivocally forbidden, the citizen’s right to protection (including a very wide interpretation of “taking the fifth” and its equivalents) against the government is given priority, etc.

Two concluding remarks:

Firstly, while there may be cases so extreme that they do require or can justify at least some of the above methods (say, that someone is suspected of planning a bombing of a soccer stadium), these cases do not, cannot, and must not justify the extension of these methods to more trivial suspicions. The “slippery slope” is a particular danger, where data is gathered or methods used today for the specific purpose of investigating terrorism, but where the police, certain politicians, …, will clamor for their use for less severe crimes tomorrow—and where the movie and music industry will demand their use for civil cases two days from now.

(And even with extreme cases caution must be used, because one of the things a good justice system should protect against is accusations raised out of malice. If standards become too different when the crime changes, the malicious party only has to alter the crime of the accusation in order to circumvent the protections. I have myself been torn out of sleep and forced to open the door to police in the middle of the night, because a mentally demented piece-of-shit landlord had claimed that I would keep a woman captive in my apartment. Because the alleged crime was so urgent, the police insisted that they did not even need a search warrant…)

Secondly, there is always a risk that data is spread to the wrong group of people or at the wrong time, as soon as even a non-hostile entity gets its hands on it. (E.g. because someone hacks a police server with confiscated data, because an individual member of the police, deliberately or accidentally, takes data home, because some juicy piece of information is leaked to the press in exchange for money, …) For instance, what if an in-the-closet gay movie star or politician is the suspect of a crime, acquitted, but the fact that he is gay is discovered and eventually made public without his consent? At a minimum, this is a severe violation of his privacy. In a less gay-friendly era or a less gay-friendly country than e.g. modern Germany, he could have a very severe problem, starting with a termination of his career.
